Drupal Webform: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in Drupal Webform, in order to execute JavaScript code in the context of the web site.

Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 13/02/2014.
Identifiers: BID-65525, BID-65528, CVE-2014-8318, DRUPAL-SA-CONTRIB-2014-018, VIGILANCE-VUL-14244.

Description of the vulnerability

The Webform module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.
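
The missing output filtering described above, shown as an added example that is not code from the Webform module: the same received data is rendered unfiltered, with incomplete escaping, and with the escaping that Drupal 7's check_plain() applies (htmlspecialchars with ENT_QUOTES and UTF-8). The function names, the form markup and the sample inputs are hypothetical and constructed for illustration; the advisory does not say which field is affected.

```php
<?php
// Added illustration, not Webform code. All names and inputs are hypothetical.

// Same escaping as Drupal 7's check_plain(): encodes & < > " and '.
function escape_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: received data is concatenated into the markup unchanged.
function render_unfiltered(string $label, string $value): string {
    return "<label>$label</label><input type='text' value='$value'>";
}

// Incomplete fix: ENT_COMPAT encodes < > & and " but leaves ' alone, so data
// placed in a single-quoted attribute can still close that attribute.
function render_partial(string $label, string $value): string {
    return '<label>' . htmlspecialchars($label, ENT_COMPAT, 'UTF-8') . '</label>'
         . "<input type='text' value='"
         . htmlspecialchars($value, ENT_COMPAT, 'UTF-8') . "'>";
}

// Hardened pattern: every received value is escaped at the point of output.
function render_escaped(string $label, string $value): string {
    return '<label>' . escape_html($label) . '</label>'
         . "<input type='text' value='" . escape_html($value) . "'>";
}

// True when the received text appears in the page byte for byte, meaning its
// markup-significant characters reached the browser unencoded.
function reflects_raw(string $html, string $input): bool {
    return strpos($html, $input) !== false;
}

// Constructed sample inputs: one for element content, one for an attribute.
$label = '<script>alert(1)</script>';
$value = "x' onfocus='alert(1)";

foreach (['render_unfiltered', 'render_partial', 'render_escaped'] as $fn) {
    $html = $fn($label, $value);
    printf("%-18s label raw: %-4s value raw: %s\n",
        $fn,
        reflects_raw($html, $label) ? 'yes' : 'no',
        reflects_raw($html, $value) ? 'yes' : 'no');
}
```

A check like reflects_raw() can be reused in a regression test: submit a marker containing < > " and ' and fail the test if the marker comes back unencoded in any rendered page.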